CVE Tools

CVE-2026-43503

net: skbuff: propagate shared-frag marker through frag-transfer helpers

Published: May 23, 2026Updated: Jul 2, 2026 Sources: CVE List NVDNVD-CWE-noinfo

Description

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker through frag-transfer helpers Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs, type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false. The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to <local>' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes. Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change. The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker. The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently. The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.

In plain language

AI Worth attention

This is a Linux kernel flaw that can let a local user with network capabilities write into protected file page memory and potentially gain root; most small businesses aren’t affected unless you run Linux servers exposed to untrusted local users or tenants—this needs patching but it’s not an internet-only issue.

Executive summary

In the Linux kernel, certain skb fragment-copy/shift helpers fail to propagate the shared-frag marker, causing ESP input (esp4.c/esp6.c) and similar in-place writers to incorrectly believe pages aren’t shared; attackers can use a local packet duplication path (for example an nft “dup to <local>” rule / nf_dup_ipv4() / xt_TEE caller) to reach a condition where unprivileged code can corrupt page-cache-backed memory and escalate privileges (CVE-2026-43503).

If affected, business impact
Local users may gain rootPotential kernel memory corruptionFull system takeoverService disruption risk

What to do now

  1. Check your Linux kernel version (for example with uname -r) and compare it to the fixed commits/branches listed by your distribution.
  2. Identify whether your setup includes the packet paths described in the issue: ESP input (esp4.c/esp6.c) and any nft “dup to ” (or other nf_dup_ipv4()/xt_TEE usage).
  3. If you are vulnerable, upgrade/patch your Linux kernel to include the fix; use one of the fixed revisions: fbeab9555564a1b98e8582cd106dfe46c4606991, 179f1852bdedc300e373e807cc102cd81feff196, 12401fcfb01f53ccc63ab0a3246570fe8f3105ee, 989214c66884d70716d83dc1d0bf5e16287bf349, fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8, ff375cc75f9167168db38e0464a482d5fbc8d81d, 9bc9d6d6967a2239aa57af2aa53554eddd640d20, or 48f6a5356a33dd78e7144ae1faef95ffc990aae0 (or your vendor’s kernel package that contains these fixes).
  4. After upgrading, validate that your nft/ESP-related configurations still work, and re-check that you’re on a fixed kernel build.
Patch / advisory Usually a quick update

CVSS Vector Breakdown

AV:LAC:LPR:LUI:NS:CC:HI:HA:H
Exploitability
AV:LAttack Vector
Local
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:CScope
Changed
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High

Weaknesses

Affected Products

Linux
oss-projectaka the linux kernel
and 1 more affected products View all →

Exploitability

Official Patch Available

References

and 38 more references View all →
5

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-43503 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows